CVE-2026-41206

Vulnerability Description

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed. Version 0.1.8 fixes the issue.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 23, 2026

CWE ID

CWE-184

Source

NVD

Vendor

ParzivalHack

Product

PySpector

External References

https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555
https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e
https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r

CVE-2026-41206

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment